IT security audit in Reunion Island — assess your risks

Is your SME truly protected? An IT security audit uncovers the vulnerabilities you don't know about — before an attacker exploits them. ECLAUD IT audits your infrastructure according to the ANSSI framework, in Reunion Island and in mainland France.

Summary

48% of French SMEs have no formalised cybersecurity strategy. Yet micro-businesses and SMEs represent 58% of ransomware victims (ANSSI 2023). An IT security audit identifies your vulnerabilities, assesses your risks and produces a prioritised action plan — in 1 to 5 days depending on the size of your IT estate. ECLAUD IT conducts audits based on ANSSI's 42 IT hygiene measures.

01 — The reality

Why an IT security audit is essential

The figures are unambiguous. In 2023, 58% of ransomware victims in France were micro-businesses and SMEs (ANSSI). In 2025, ANSSI recorded a further 128 ransomware compromises, with increasingly sophisticated strains: Qilin (21% of cases), Akira (9%), LockBit 3.0 (5%).

And yet, 48% of French SMEs have no formalised cybersecurity strategy (Konica Minolta 2025). Most business owners think "it only happens to large corporations". The opposite is true: attackers target SMEs precisely because they are less protected, not less interesting.

The problem is not that SMEs are negligent — it is that they do not know where their vulnerabilities lie. An admin password shared for 3 years. A server that has not been patched for 14 months. A firewall whose rules have never been reviewed. These vulnerabilities exist in almost every SME we audit.

"60% of SMEs that suffer a major cyberattack close within 6 months. The average cost of an incident for an SME: €50,000 to €100,000." ANSSI / RESCO

An IT security audit is the first step. Not the most spectacular, but the most important: you cannot protect what you do not know. Before deploying a Fortinet firewall or an EDR, you need to know what is vulnerable in your IT estate.

For a complete view of our cybersecurity approach, visit our SME cybersecurity in Reunion Island page.

02 — Methodology

Our 5-step audit methodology

Our approach is based on the ANSSI IT hygiene guide (42 measures) and the "Cybersecurity for micro-businesses and SMEs in 13 questions" guide. Each audit is tailored to the size and sector of your company.

Step 01: IT estate mapping

Full inventory of your infrastructure: workstations, servers, network equipment, applications, remote access, cloud. You can only protect what you know.

Step 02: Vulnerability scanning

Automated analysis of your network and systems to identify known vulnerabilities: outdated software, open ports, dangerous configurations, expired certificates.

Step 03: Targeted penetration tests

Simulation of real attacks on your entry points: simulated phishing, unauthorised access attempts, privilege escalation. We test the way an attacker would.

Step 04: Configuration review

Review of Active Directory policies, access rights, firewall rules, backups, antivirus, MFA. Comparison against the ANSSI 42-measure reference framework.

Step 05: Report and action plan

Detailed deliverable: prioritised risk matrix, ranked recommendations (quick wins vs projects), budget estimate, remediation schedule.

03 — Concrete results

What the audit reveals — concrete examples

After dozens of audits carried out for SMEs in Reunion Island and mainland France, the same vulnerabilities recur consistently. Here is what we find in the majority of companies we audit.

Weak or shared passwords

99% of identity attacks are password attacks. We regularly find admin accounts with passwords like "company2024" or passwords shared among 5 colleagues.

Source: Microsoft Digital Defense Report 2025

Unpatched servers and workstations

Critical security updates pending for 6, 12, sometimes 18 months. Each missing patch is an open door — strains like Qilin or Akira exploit these known vulnerabilities.

Source: ANSSI — Panorama of the cyber threat 2025

Backups never tested

The backup runs — but no one has ever verified it can be restored. On the day of a ransomware attack, you discover the files are corrupted or that the NAS was also encrypted.

Source: ECLAUD IT field experience

Unsecured remote access

Remote desktop (RDP) exposed to the internet, VPN without MFA, former employee accounts still active. All entry vectors for an attacker.

Source: ANSSI — 13-question guide for micro-businesses/SMEs

These are the vulnerabilities that ransomware exploits first. An audit makes it possible to identify and fix them before they are exploited. To understand how to concretely protect yourself against ransomware, visit our dedicated SME ransomware protection page.

[Image: IT security audit — cybersecurity verification checklist for SMEs. Caption: The IT security audit reviews every component of your IT estate against the ANSSI reference framework.]

04 — Professional tools

Our audit tools — technologies used

We use industry-standard tools in the cybersecurity field — the same ones used by certified auditors and ANSSI teams. No opaque "in-house software" — proven tools whose results are verifiable.

Vulnerability scanning

Nessus / OpenVAS — industry-standard network vulnerability scanners. Detection of known vulnerabilities (CVE), dangerous configurations, outdated software. Detailed reports with criticality scores.

Web penetration testing

Burp Suite — web application security testing tool. Detection of SQL injections, XSS, authentication vulnerabilities. Used to audit your customer portals, intranets and business applications exposed to the internet.

Network analysis

Wireshark — network protocol analyser. Detects unencrypted traffic, suspicious communications, unknown devices on your network. Essential for post-incident analysis.

Active Directory audit

PingCastle / BloodHound — tools specialised in Active Directory auditing. Detection of attack paths, accounts with excessive privileges, dangerous GPO configurations.

All tools used are documented in the audit report. We explain what each tool tested and what it found — no jargon without context.

05 — ANSSI reference framework

ANSSI checklist — the 42 IT hygiene measures

ANSSI publishes a guide of 42 IT hygiene measures that every company should apply. Our audit assesses your compliance with each of these measures. Here are the main categories.

Know your IT estate

Hardware/software inventory, network mapping, list of access rights and permissions, identification of sensitive data

Authentication & access

Strong password policy, MFA on sensitive access, removal of unused accounts, least-privilege principle

Backups

Regular backups (3-2-1 rule), restoration tests, air-gapped backups (anti-ransomware), encryption of backed-up data

Updates

Patching policy, automatic updates enabled, vulnerability monitoring, replacement of obsolete systems (Windows 7, Server 2012...)

Firewall & network

Correctly configured firewall, network segmentation, secure Wi-Fi (WPA3), guest/production network isolation

Awareness

Phishing training for staff, signed IT charter, incident alert procedure, simulation exercises

In addition to the ANSSI framework, we verify your GDPR compliance — a point often overlooked in purely technical audits. Personal data protection, retention periods, data subject rights: these are also IT security topics. To find out more, visit our GDPR for SMEs in Reunion Island page.

[Image: IT security — digital lock symbolising information system protection. Caption: Securing your IT estate starts with a rigorous audit — every vulnerability identified is an attack prevented.]

06 — Pricing

How much does an IT security audit cost?

| Plan | Duration | Scope | Indicative price |
|---|---|---|---|
| Flash audit | 1 day on-site | Mapping, vulnerability scan, summary report | From €900 |
| Full audit | 3-5 days | Scan + pentest + organisational audit + detailed report | From €2,500 |
| Quarterly follow-up | Half-day / quarter | Re-scan, remediation tracking, security dashboard | Custom quote |

All audits include a written report with a risk matrix and prioritised action plan. The Cyber PME programme (Bpifrance / France 2030 — €12.5M budget) can fund part of your audit and implementation of the recommendations. We assist you in the application process.

07 — Frequently asked questions

FAQ — IT Security Audit

How long does an IT security audit take?

A flash audit (SME with 5 to 20 workstations) takes 1 day on-site + 2 days of analysis and report writing. A full audit with penetration tests takes 3 to 5 days. In both cases you receive an actionable report with prioritised recommendations.

Will the audit disrupt my business operations?

No. Vulnerability scans are carried out during off-peak hours or at the weekend. Penetration tests are controlled and do not cause any service interruption. We plan every step with you to minimise impact on your operations.

My company is too small for a cyber audit, isn't it?

The opposite is true: 58% of ransomware victims in France are micro-businesses and SMEs (ANSSI 2023). Attackers target smaller organisations precisely because they are less protected. A one-day flash audit is accessible and can save months of hardship.

What is the difference between an audit and a pentest?

A security audit is holistic: it covers the organisational (policies, procedures), technical (configurations, vulnerabilities) and human (awareness) dimensions. A penetration test is a subset of the audit: it simulates a real attack to test the resilience of your defences.

Are there financial grants for a cybersecurity audit?

Yes. The Cyber PME programme (Bpifrance / France 2030) funds the cybersecurity diagnostic and action plan for SMEs. National budget of €12.5 million. ECLAUD IT guides you through the application process and the implementation of the recommendations.

What happens after the audit?

You receive a detailed report with a risk matrix and a prioritised action plan. We can then support you in remediation: deploying fixes, implementing MFA, configuring backups, training your teams. Quarterly follow-up available.

You don't know where your vulnerabilities are — we do

IT security audit in Reunion Island and mainland France. Free initial diagnostic, no commitment.